Talos Vulnerability Report

TALOS-2017-0309

August 4, 2017

CVE Number

CVE-2017-2812

Summary

An exploitable out-of-bounds write vulnerability exists in the kdu_buffered_expand function of Kakadu SDK 7.9. A specially crafted JPEG 2000 file, when read by the program, causes an undersized buffer to be allocated and then written past its bounds, a condition that can lead to code execution.

Tested Versions

Kakadu SDK 7.9 - OSX & Linux

Product URLs

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-131: Incorrect Calculation of Buffer Size

Details

Kakadu SDK is a commercial library for parsing and handling JPEG 2000 images. It is used by many high-profile companies, including Apple, to handle JPEG 2000 images, so this vulnerability could have a large impact because of the number of products built on the SDK.

A JPEG 2000 file begins with a header describing the data that follows in the rest of the file. The header is parsed by scanning for a marker and then parsing the data that follows according to the marker type; the size of a marker's data is stored immediately after the marker itself. The vulnerability arises when the parser reaches the contiguous codestream section of the JPEG 2000 image: the declared codestream size is never checked against the actual file size, so an overly large value causes the parser to read and process far more data than the file contains. An outline of the vulnerable image is shown below.

As can be seen, the size parameters are far too large for a file of only 100 bytes. The program then enters a loop driven by these sizes and allocates working buffers based on the data the sizes point to.

The vulnerability lies in the fact that, after several iterations of the loop, the data_value read at [1] is zero, so the size calculation at [2] yields zero and the buffer is allocated with a size of 31 rather than the size actually required. When this buffer is subsequently used in calculations, accesses run past its bounds into adjacent memory, including locations later used for calls and writes, which results in a highly exploitable condition. With a hardened malloc implementation, the crash is shown below.
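The length check the parser described above is missing, written out as an added example that is not part of the Talos report or of Kakadu's code: a minimal walker over the JP2 box structure (4-byte big-endian length, 4-byte type, optional 8-byte extended length; the codestream lives in the 'jp2c' box) that rejects any box whose declared length is smaller than its own header or larger than the bytes remaining in the file. The sample file bytes are constructed here, the function and type names are this example's own, and treating the jp2c box length as the "codestream size" the report refers to is an assumption about where in Kakadu's parser the check belongs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BOX_JP2C 0x6A703263u  /* 'jp2c': contiguous codestream box */

typedef struct {
    uint32_t type;         /* TBox */
    uint64_t header_len;   /* 8, or 16 when the XLBox extended length is present */
    uint64_t payload_len;  /* bytes of box content after the header */
} jp2_box;

static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint64_t rd64(const uint8_t *p)
{
    return ((uint64_t)rd32(p) << 32) | rd32(p + 4);
}

/* Parse one box header starting at `off`.  Returns 0 on success, -1 when the
 * header is truncated or the declared box length does not fit in the file. */
int jp2_read_box(const uint8_t *buf, size_t len, size_t off, jp2_box *out)
{
    if (off > len || len - off < 8)
        return -1;                               /* truncated header */
    size_t remaining = len - off;
    uint32_t lbox = rd32(buf + off);
    uint32_t tbox = rd32(buf + off + 4);
    uint64_t header = 8, total;

    if (lbox == 1) {                             /* extended 64-bit length follows */
        if (remaining < 16)
            return -1;
        total = rd64(buf + off + 8);
        header = 16;
    } else if (lbox == 0) {                      /* box runs to end of file */
        total = remaining;
    } else {
        total = lbox;
    }

    if (total < header)
        return -1;                               /* box smaller than its own header */
    if (total > remaining)
        return -1;                               /* the missing check: size exceeds the file */

    out->type = tbox;
    out->header_len = header;
    out->payload_len = total - header;
    return 0;
}

/* Walk every top-level box.  Returns the box count, or -1 on the first box
 * whose declared length is inconsistent with the file.  *jp2c_len receives
 * the validated codestream payload length (0 if no jp2c box was seen). */
int jp2_walk(const uint8_t *buf, size_t len, uint64_t *jp2c_len)
{
    size_t off = 0;
    int count = 0;
    *jp2c_len = 0;
    while (off < len) {
        jp2_box box;
        if (jp2_read_box(buf, len, off, &box) != 0)
            return -1;
        if (box.type == BOX_JP2C)
            *jp2c_len = box.payload_len;
        off += (size_t)(box.header_len + box.payload_len);  /* safe: total <= remaining */
        count++;
    }
    return count;
}

/* Constructed 48-byte sample: signature box, ftyp box, then a jp2c box whose
 * LBox field is chosen by the caller, followed by 8 bytes of dummy codestream
 * (SOC marker, SIZ marker, padding).  Returns the number of bytes written. */
size_t build_sample(uint8_t *out, uint32_t jp2c_lbox)
{
    static const uint8_t sig[12]  = { 0,0,0,12, 'j','P',' ',' ', 0x0D,0x0A,0x87,0x0A };
    static const uint8_t ftyp[20] = { 0,0,0,20, 'f','t','y','p', 'j','p','2',' ',
                                      0,0,0,0,  'j','p','2',' ' };
    static const uint8_t cs[8]    = { 0xFF,0x4F, 0xFF,0x51, 0,0,0,0 };
    uint8_t hdr[8] = { (uint8_t)(jp2c_lbox >> 24), (uint8_t)(jp2c_lbox >> 16),
                       (uint8_t)(jp2c_lbox >> 8),  (uint8_t)jp2c_lbox,
                       'j','p','2','c' };
    memcpy(out, sig, 12);
    memcpy(out + 12, ftyp, 20);
    memcpy(out + 32, hdr, 8);
    memcpy(out + 40, cs, 8);
    return 48;
}

/* Walk a sample whose jp2c LBox is `lbox`; returns the jp2_walk result. */
int check_sample(uint32_t lbox, uint64_t *jp2c_len)
{
    uint8_t file[48];
    size_t n = build_sample(file, lbox);
    return jp2_walk(file, n, jp2c_len);
}

int main(void)
{
    uint64_t cs;
    int ok = check_sample(16u, &cs);              /* honest length: 8 header + 8 payload */
    printf("LBox=16:         walk=%d jp2c payload=%llu\n", ok, (unsigned long long)cs);
    int bad = check_sample(0xFFFFFFF0u, &cs);     /* oversized length, as in the crafted file */
    printf("LBox=0xFFFFFFF0: walk=%d (rejected)\n", bad);
    return 0;
}
```

A parser that trusts the declared length instead of comparing it with `remaining` is exactly what lets a 100-byte file drive the loop the report describes; the same comparison should be applied again to every marker-segment length inside the codestream once the box itself has been bounded.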